Module 3 Planning for Active Directory®


1 Module 3 Planning for Active Directory®
Presentation: 60 minutes
Lab: 60 minutes

Preparation for Demos
To prepare for demos in this module, you should launch the 6430B-SEA-DC1 and 6430B-SEA-SVR1 virtual machines.

Preparation for Labs
The lab at the end of this module also uses two virtual machines. If you wish, you can ask students to launch them at the start of the module. The virtual machines required for the lab are 6430B-SEA-DC1 and 6430B-SEA-SVR1.

NOTE: If you are using student computers with 2 GB RAM, you should boot up the virtual machines used in this lab at the start of the module, or at the start of the last lesson, as boot times may be significant and slow the class down.

2 Module Overview
Selecting a Forest and Domain Topology
Selecting a Domain and Forest Functional Level
Planning Identity and Access Services in Active Directory
Implementing Active Directory in the Physical Network

Start planting the seed in the students’ minds that now they are going to incorporate the tools from Module 2 (Name Resolution, Perimeter Network definition, security, and others) into their Active Directory configuration. As each topic is addressed, be sure to map back how it relates to DNS, defining boundaries for internal versus external access and implications for maintaining or strengthening security. Do seek student involvement by finding out about various aspects of their network. Be prepared that students may not know a great deal of detail about how their Active Directory networks are set up (remember–these students likely have always worked on the support end, and not the design or input end of networking before). As an overall goal for the class, the students should have a better understanding of their own Active Directory design or they should be able to determine and/or understand better how their Active Directory networks have been set up.

Throughout this module make a point of emphasizing that the physical and logical aspects of Active Directory should complement each other. Even though there is no technical dependency upon each other, the logical and the physical characteristics of Active Directory do impact each other. This can set the stage for addressing inevitable questions about the “best” Active Directory design. Of course, there is no such thing as a singular best design. Rather, the “best” design is one that comes closest to meeting the needs of the organization while taking into account whatever constraints the implementation is bound by.

3 Lesson 1: Selecting a Forest and Domain Topology
Overview of Active Directory
Considerations for Designing a Forest Infrastructure
Guidelines for Designing an Active Directory Domain Infrastructure
Determining Whether to Implement Multiple Trees in Your Forest
What Is a Trust Relationship?
Discussion: Selecting an Active Directory Topology

4 Overview of Active Directory
Forest
Schema
Global catalog
Tree
Domain
Site
Organizational unit

Explain how multiple domains with the same naming structure are referred to as a tree and that multiple trees can be part of a forest. Also, describe how the automatic trust relationships between domains allow permissions to be assigned between domains. Mention to students that each domain does not directly trust all other domains. Transitive trust relationships are used to build forests in which all domains are trusted. All domains in a forest share the same schema and configuration information.

Question: Does a trust automatically allow users in one domain to access resources in another domain?
Answer: No. When trust relationships are in place, users must still be granted permission to access resources in other domains.

Question: How has your organization used domains to create security boundaries? If your organization does not use domains, how might domains be used in your organization?
Answer: Answers may vary. This question should provide students with an opportunity to reflect on the relationship between the logical structure of a business organization and the use of one or more domains. In general, students should demonstrate an understanding of how domains represent groupings of users and computers that follow a common security policy.

Question: Describe one scenario when you would use a domain to organize a network. Describe one scenario when you would use an OU to organize a network.
Answer: Answers may vary. In general, students should understand that a domain represents a security boundary, and requires at least one domain controller. Because multiple OUs can exist within a single domain, they are useful for mapping the logical structure of Active Directory to the actual structure of the organization in a more fine-grained manner than domains. However, in cases where differing security requirements exist within an organization, multiple domains will often be required.

5 Considerations for Designing a Forest Infrastructure
Isolation requirements limit design choices
Design negotiation can be a lengthy process
Balance costs against benefits
Document the proposed forest design

Remind students about the built-in administration groups of Domain Admins, Enterprise Admins, and Schema Admins and the options that exist for delegating permissions. Be ready to field questions about the use of third-party delegation tools to control Active Directory access. If either you or the students have good anecdotes about how design negotiations were successfully addressed, here would be a good time to share them. Be careful not to allow anecdotes without a fruitful end to dominate, however; there is no value-add in persistent failures. Try to leave students with ideas that can help them be successful when they go into negotiations for their designs. Stress to the students that proper design does not necessarily mean having to use expensive third-party tools. As long as the information is recorded and can be disseminated and edited easily, that is the most important thing.

6 Guidelines for Designing an Active Directory Domain Infrastructure
Review domain models
Determine number of domains required
Consider upgrade implications from existing domain infrastructure

You might like to review the domain models implemented in earlier versions of Windows®, such as the single domain, the single master domain, the multimaster domain, and the complete trust models. This is probably of more relevance to students whose organizations were running earlier versions of Windows. Discuss why each model was used, and the problems created by its implementation. Explain how AD DS helps to alleviate these issues.

Question for students: How many domains exist within your forest?

7 Determining Whether to Implement Multiple Trees in Your Forest
Use a single tree unless your name space requires noncontiguous names within your organization

Emphasize to students that needing to support multiple SMTP domain names is *not* valid rationale for implementing multiple trees in Active Directory. Most likely, the reasons for implementing additional Active Directory namespaces will be political, and not technical. There is no significant security advantage associated with using multiple Active Directory namespaces.

8 What Is a Trust Relationship?
[Slide diagram: Forest 1 (root domain A with domains B, C, D, E and F) and Forest 2 (domains P and Q), showing a Tree/Root Trust, Parent/Child Trusts, a Shortcut Trust, an External trust and a Kerberos Realm trust to a realm]

Trust relationships provide a means for account objects such as users and computers to use their single Active Directory account to access resources in domains other than their home domain. Even after authentication is accomplished, however, the account object is still constrained by access permissions that are set within the non-local domain. A trust relationship is, then, a logical pathway to non-local domain resources. The level of access to resources is not determined by the administrator of the domain where the account resides; rather, it is the administrator of the resource domain who decides who or what gets access to the resources.

Have students tell you which types of trust relationships get created automatically, and which ones must be created manually. Also have the students relate what the prerequisites are for implementing the various trusts. Remind the students that shortcut trusts accomplish nothing if the underlying site topology differs from the logical topology.

Teaching Tip: Before showing this slide, draw all the domains on the board. Ask the students how many Forests, Trees, and so on exist. Ask the students the reasoning for their rationale. This exercise can help reinforce the function of trust relationships.
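The question of which trusts were created automatically and which by hand, and whether the manual ones still leave the resource-domain administrator in control, can be answered from the directory itself. The script below is an added example and not part of the course material; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later), Windows PowerShell 3.0 or later, and read access to the trustedDomain objects of the domain it is run in.

```powershell
Import-Module ActiveDirectory

function Get-TrustReview {
    # One record per trust held by the queried domain, with the properties a design
    # review looks at and a Findings column for settings that deserve attention.
    param([string]$Server)   # optional DC or domain name; default is the current domain
    $query = @{ Filter = '*' }
    if ($Server) { $query.Server = $Server }

    Get-ADTrust @query | ForEach-Object {
        $t = $_
        $findings = New-Object System.Collections.Generic.List[string]

        if ($t.IntraForest) {
            # Parent/child and tree-root trusts are created automatically when a domain
            # joins the forest. A shortcut trust is intra-forest as well but created by
            # hand (assumption: it is the intra-forest trust that is neither a tree
            # parent nor a tree root).
            $kind = 'Shortcut (manual)'
            if ($t.IsTreeParent -or $t.IsTreeRoot) { $kind = 'Parent/child or tree root (automatic)' }
        } else {
            $kind = 'External trust (manual)'
            if ($t.TrustType -eq 'MIT')  { $kind = 'Kerberos realm trust (manual)' }
            if ($t.ForestTransitive)     { $kind = 'Forest trust (manual)' }

            # Outbound means this domain trusts the target, so the target's accounts can be
            # granted access to resources here. That is the direction in which the
            # resource-side controls matter.
            if ($t.Direction -ne 'Inbound') {
                # Selective authentication limits trusted accounts to servers on which they
                # have been explicitly allowed to authenticate.
                if (-not $t.SelectiveAuthentication) {
                    $findings.Add('selective authentication off: any trusted account may authenticate to any server here')
                }
                # SID filtering stops the trusted side from presenting SIDs it does not own.
                # Forest trusts record it as SIDFilteringForestAware, external trusts as
                # SIDFilteringQuarantined.
                $sidFiltered = $t.SIDFilteringQuarantined
                if ($t.ForestTransitive) { $sidFiltered = $t.SIDFilteringForestAware }
                if (-not $sidFiltered) { $findings.Add('SID filtering off') }
            }
        }

        [pscustomobject]@{
            Target     = $t.Target
            Kind       = $kind
            Direction  = $t.Direction
            Transitive = (-not $t.DisallowTransivity)
            Findings   = ($findings -join '; ')
        }
    }
}

# Review the trusts of the current domain; pass -Server to review another domain in the forest.
Get-TrustReview | Format-Table -AutoSize
```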

9 Discussion: Selecting an Active Directory Topology
Given the following scenario, which Active Directory topology would you recommend?

Teaching Tip: Divide the room into two teams. One team will role play the customer who is specifying the specific needs of the above network. The other team is to come up with the design solution. The Design Team may only ask 5 questions for clarification. The purpose of such an exercise is to emphasize to the class the importance of clear communications on both sides when designing this (or any other) network activity. (15 min)

10 Lesson 2: Selecting a Domain and Forest Functional Level
What Are the Domain Functional Levels?
What Are the Forest Functional Levels?
Demonstration: Modifying the Functional Level

11 What Are the Domain Functional Levels?
Windows 2000 Native
Windows Server 2003
Windows Server 2008

Make sure your students are familiar with the process of upgrading the functional level; that is, they must pay particular attention to which Windows operating system versions are supported by each functional level. A change from Windows 2000 native to a Windows Server functional level can only occur when you have removed all your Windows 2000 Server domain controllers from the relevant domain. Emphasize to students that functional levels refer to the NOS running on DCs (and by extension, GCs) only. Member servers, workstations, and so on do not determine functional levels (which is a common misconception among those new to Active Directory). Also emphasize that any/all applications that are Active Directory–aware (such as Exchange Server, Microsoft SQL Server®, Cisco CallManager, and so on) should be thoroughly tested for compatibility issues before upgrading functional levels. For testing of this nature, consider establishing a virtualized lab environment to conserve costs of hardware and software.

12 What Are the Forest Functional Levels?
Windows 2000 Native
Windows Server 2003
Windows Server 2008

The following guidelines apply to raising the domain or forest functional levels:
- You must be a member of the Domain Admins group to raise the domain functional level.
- You must be a member of the Enterprise Admins group to raise the forest functional level.
- You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The AD DS administrative tools that you use to raise the domain functional level (the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in) automatically target the PDC emulator when you raise the domain functional level.
- You can raise the forest functional level on the schema operations master only. Active Directory Domains and Trusts automatically targets the schema operations master when you raise the forest functional level.
- You can raise the functional level of a domain only if all domain controllers in the domain run the version or versions of Windows that the new functional level supports.
- You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server operating system that the new functional level supports.
- You cannot set the domain functional level to a value that is lower than the forest functional level.
- You cannot lower the domain or forest functional level after you have raised it. You cannot reverse the operation of raising the domain and forest functional levels. If you have to revert to a lower functional level, you must rebuild the domain or forest, or restore it from a backup copy.
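Because a raise cannot be undone, the guidelines above are worth checking from the directory before the dialog box is opened: which DC holds the PDC emulator and schema master roles, and whether every DC in the domain (or, for the forest level, in every domain of the forest) runs an operating system the target level supports. The script below is an added example, not part of the course; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later), Windows PowerShell 3.0 or later, and the Adatum.com domain from the demonstrations. The actual raise is shown with -WhatIf only.

```powershell
Import-Module ActiveDirectory

function Get-DomainControllerInventory {
    # One record per DC in the given domain, with the reported OS version parsed so it
    # can be compared. OperatingSystemVersion is a string such as '6.0 (6002)'.
    param([Parameter(Mandatory)][string]$DomainName)
    Get-ADDomainController -Filter * -Server $DomainName | ForEach-Object {
        $token = ($_.OperatingSystemVersion -split ' ')[0]
        if (-not $token) { $token = '0.0' }   # unknown OS: treat it as too old
        [pscustomobject]@{
            Domain   = $DomainName
            Name     = $_.HostName
            OS       = $_.OperatingSystem
            Version  = [Version]$token
            ReadOnly = $_.IsReadOnly
        }
    }
}

function Test-FunctionalLevelReadiness {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Lowest DC operating system the target level accepts. Windows Server 2008
        # reports version 6.0, so the default matches the Windows Server 2008 level.
        [Version]$MinimumOsVersion = '6.0'
    )
    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest

    # The forest level needs every DC in every domain of the forest to qualify;
    # the domain level only needs the DCs of this one domain.
    $allDcs = @($forest.Domains | ForEach-Object { Get-DomainControllerInventory -DomainName $_ })
    $tooOld = @($allDcs | Where-Object { $_.Version -lt $MinimumOsVersion })
    $tooOldHere = @($tooOld | Where-Object { $_.Domain -eq $domain.DNSRoot })

    [pscustomobject]@{
        Domain           = $domain.DNSRoot
        Forest           = $forest.Name
        DomainMode       = $domain.DomainMode
        ForestMode       = $forest.ForestMode
        RaiseDomainOn    = $domain.PDCEmulator   # the domain level is raised on this DC
        RaiseForestOn    = $forest.SchemaMaster  # the forest level is raised on this DC
        BlockingDCs      = $tooOld
        DomainLevelReady = ($tooOldHere.Count -eq 0)
        ForestLevelReady = ($tooOld.Count -eq 0)
    }
}

# Report first; the raise itself is one-way, so it is only previewed here.
$r = Test-FunctionalLevelReadiness -DomainName 'adatum.com'
$r | Format-List Domain, Forest, DomainMode, ForestMode, RaiseDomainOn, RaiseForestOn, DomainLevelReady, ForestLevelReady
$r.BlockingDCs | Format-Table Domain, Name, OS, Version -AutoSize
if ($r.DomainLevelReady) {
    Set-ADDomainMode -Identity $r.Domain -DomainMode Windows2008Domain -Server $r.RaiseDomainOn -WhatIf
}
if ($r.ForestLevelReady) {
    Set-ADForestMode -Identity $r.Forest -ForestMode Windows2008Forest -Server $r.RaiseForestOn -WhatIf
}
```

Remove -WhatIf only inside a change window, after the Active Directory-aware applications mentioned on the previous slide have been tested against the new level.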

13 Demonstration: Modifying the Functional Level
In this demonstration, you will see how to:
- Raise the domain functional level
- Raise the forest functional level

Task 1 – Raise the domain functional level
1. Start the 6430B-SEA-DC1 virtual machine. When the virtual machine has started, start the 6430B-SEA-SVR1 virtual machine. You will need this VM for subsequent demonstrations.
2. Switch to the SEA-DC1 computer.
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In the console, right-click Adatum.com and then click Raise domain functional level.
5. In the Raise domain functional level dialog box, in the Select an available domain functional level list, click Windows Server 2008, and then click Raise.
6. In the Raise domain functional level dialog box, click OK.
7. In the subsequent Raise domain functional level dialog box, click OK.
8. Close Active Directory Users and Computers.

Task 2 – Raise the forest functional level
1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
2. In the console, right-click Active Directory Domains and Trusts [SEA-DC1.Adatum.com], and then click Raise Forest Functional Level.
3. In the Raise forest functional level dialog box, in the Select an available forest functional level list, click Windows Server 2008, and then click Raise.
4. In the Raise forest functional level dialog box, click OK.
5. In the subsequent Raise forest functional level dialog box, click OK.
6. Close Active Directory Domains and Trusts.

14 Lesson 3: Planning Identity and Access Services in Active Directory
What Is AD CS?
What Is AD LDS?
What Is AD FS?
What Is AD RMS?

15 What Is AD CS?
Extends the concept of trust
- A certificate from a trusted certificate authority (CA) proves identity
- Trust can be extended beyond the boundaries of your enterprise, as long as clients trust the CA of the certificates you present
Creates a public key infrastructure (PKI)
- Confidentiality, Integrity, Authenticity, Non-Repudiation
Many uses
- Internal-only or external
- Secure Web sites (SSL)
- VPN
- Wireless authentication and encryption
- Smart card authentication
Integration with AD DS powerful, but not required

Position the role of AD CS and PKI as an important step towards enhancing or extending the information protection and security infrastructure. Explain that, within a domain, clients trust domain controllers to authenticate users because clients have an already established trust relationship with the domain controller. That trust relationship is based on a shared secret: the computer’s account and in particular its password. A computer logs on to the domain and, through the process, proves its identity to the domain controllers, but the process is also two-way: the authenticating domain controller also proves its identity to the client. All of this is possible because, to make the Kerberos authentication story very simple, both sides are able to prove that they know the computer’s password.

Certificates are used to create a trust relationship where one does not already exist. Use the example of a secure Web site. When you browse to a popular e-commerce site to make a purchase, that transaction is secured with secure sockets layer (SSL), and your browser indicates that it trusts the identity of the Web site, usually by displaying a lock icon. How does your computer know that the Web server is who it says it is? Because the Web server presents a certificate that has been issued by a certificate authority (CA) that is trusted by your browser. You might mention VeriSign or Thawte as a trusted root CA.

So, in effect, when the Web server presents a certificate issued by a trusted CA, your browser says, “If [VeriSign] says you’re who you say you are, then I trust that you are who you say you are.” Use the example of a passport (or a driver’s license). When you travel, you must provide some sort of certificate to authenticate that you are who you say you are. These forms of identification have to come from an authority, such as the U.S. Department of State. This authority performs a background check first to make sure that you are, in fact, who you are claiming to be, before issuing you a passport. If the passport service were to get a reputation for issuing passports to people who are not truthful, it would reduce the effectiveness of the issued passports, as they may not be trusted. A Certification Authority is responsible for generating a certificate for a requestor, much like the U.S. Department of State is responsible for issuing passports to U.S. citizens. The requestor then can use this certificate to identify itself to other services. The CA’s reputation is at stake when it issues certificates to requestors, and it is responsible for making sure the requestor, and the holder of the certificate that it issues, are valid. Windows has a list of trusted root CAs (including VeriSign and Thawte). That list is updated automatically as part of Windows Update.

Explain that certificate authorities form a chain. A root CA can issue a certificate to another CA. The second-level CA can issue individual certificates to services, computers, or users. The chain of certificates ensures that a client that trusts the top-level, root CA will trust certificates issued by lower-level CAs. (CONTINUED)

16 Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
If they are curious to know how all of this happens in such a way that trust can be established, you can explain that a certificate is backed by a key pair: a private key and a public key. If a Web server uses its private key to encrypt data, and the client is able to use the public key to decrypt the data, the client knows that the only way the data could have possibly been encrypted and decrypted successfully is if the data was encrypted by the private key. So even though the client doesn’t have the private key, it knows that this server must.

Turn your attention next to the uses of certificates and of a public key infrastructure (PKI). What are these certificates used for? Explain that a PKI can be established that is internal only. In this case, the root CA is internal to your organization. This reduces the cost of establishing the PKI, but limits the effectiveness of certificates outside the organization. In order for an outside client to trust the certificates generated by your PKI, the client would have to import your root CA as a trusted CA. (Within your own organization this can be done with Group Policy.) Alternately, your PKI can be based on a trusted, external root CA. This then allows you to create and maintain a PKI that generates certificates trusted outside your organization. Of course, you can create a mix and match as well.

Explain that AD CS can be run on a stand-alone server, without AD DS; however, it is much more powerful to integrate AD CS with AD DS, because Active Directory Domain Services can act as a certificate store and can provide a framework for the management of certificates, which must be obtained, renewed, and revoked during the course of their life cycle.
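The chain walk described above, from a server certificate up to a root that the client already trusts, is what a Windows client does when it decides whether to show the lock icon; it also explains why an internal root has to reach the client's Trusted Root store before internal certificates are accepted, and why revocation is part of the life cycle. The function below is an added example, not part of the course; it assumes a certificate file (.cer) of the server certificate on disk and uses the .NET X509Chain class that PowerShell exposes.

```powershell
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)][string]$Path,   # DER or Base64 .cer file of the leaf certificate
        [switch]$CheckRevocation               # consult CRL/OCSP for every certificate in the chain
    )
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # NoCheck answers only "does this chain to a trusted root"; Online also asks each
    # CA whether it has since revoked the certificate it issued.
    $chain.ChainPolicy.RevocationMode  = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationFlag  = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'   # do not ignore time, name or usage errors

    # Build() walks from the leaf through the issuing CAs until it reaches a self-signed
    # root; the result is true only if that root is in the machine's Trusted Root store
    # and nothing on the way is expired, revoked or otherwise invalid.
    $trusted = $chain.Build($leaf)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # The same question asked directly of the store: is the root the chain ends in one
    # this machine has been told to trust (by Windows Update, Group Policy or by hand)?
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                          Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    [pscustomobject]@{
        Subject     = $leaf.Subject
        Issuer      = $leaf.Issuer
        Trusted     = $trusted
        Chain       = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Root        = $root.Subject
        RootInStore = $rootInStore
        Problems    = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

# Example call (file path is a placeholder): a certificate from an internal CA will show
# Trusted = False and an UntrustedRoot problem on a client that has not imported the root.
Test-CertificateTrust -Path 'C:\certs\webserver.cer' -CheckRevocation | Format-List
```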

17 What Is AD LDS?
[Slide diagram: AD DS alongside Active Directory Lightweight Directory Services]

As a working example, cite how extranet partners might be granted access to a distributed Web application that resides in a perimeter network. The extranet user accounts could be maintained in the AD LDS databases, along with special attributes that have been defined to support the application. All this can sit in the perimeter network without needing to be processed by your internal Active Directory network. If you are familiar with Exchange Server, consider discussing the Edge Transport server role and its use of AD LDS.

18 What Is AD FS?
[Slide diagram with the labels Corporate Network, Perimeter Network, Active Directory, Internal Client, Account Federation Server, Resource Federation Server, Client and AD FS Enabled Web Server]

If students have no examples of their own, relate how partner organizations can be granted limited access to network resources (file shares, databases, and so on) without your organization needing to maintain additional account objects in Active Directory.

19 What Is AD RMS?
[Slide diagram with numbered steps 1 and 2]

Be prepared to answer questions about how RMS can be implemented with or without the user needing to initiate security. Students should also be cautioned that RMS may not always be the solution for all situations. Implementation with external parties will require some degree of cooperation and planning, which may not always be practical.

20 Lesson 4: Implementing Active Directory in the Physical Network
What Is a Domain Controller?
Determining the Placement of Domain Controllers
Demonstration: Creating a Site
What Is a Read-Only Domain Controller?
Demonstration: Deploying an RODC

21 What Is a Domain Controller?
Domain controllers:
- Provide authentication
- Host operations master roles
- Host the global catalog
- Support group policies and SYSVOL
- Provide for replication

Describe a domain controller to students. Talk about what happens when a domain controller is unavailable. Mention that the domain controller has a copy of the domain partition for the local domain, the configuration partition, and the schema partition. Describe a global catalog server to students as well, indicating that it has some domain information from all domains. Give the example of Exchange Server using global catalog servers to look up mailbox locations. You can also mention that dcpromo can be used to make a member server into a domain controller. A new feature in Windows Server 2008 is the ability to have a Read-Only DC. This is used for application support or for placement in a perimeter network where security is a concern.

Question: How many domain controllers should you have?
Answer: In a large organization, you should have at least two domain controllers per physical location. In smaller organizations, you may have only one domain controller per physical location. Some smaller locations may use a domain controller that is located across a wide area network (WAN) link.

22 Determining the Placement of Domain Controllers
[Slide map showing the Seattle, Bellevue and Redmond locations]

To collect network map information, make the students aware of network discovery and diagramming tools that exist. There is a network discovery tool available for Microsoft Visio®, for example.

23 Demonstration: Creating a Site
In this demonstration, you will see how to:
- Create a site
- Configure the replication interval and schedule

Task 1 – Create a site object
1. On the SEA-DC1 virtual machine, click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console, expand Sites, right-click Sites, and then click New Site.
3. In the New Object – Site dialog box, in the Name box, type Branch-Office-1.
4. In the Link Name list, click DEFAULTIPSITELINK, and then click OK.
5. In the Active Directory Domain Services dialog box, click OK.

Task 2 – Configure the replication interval and schedule
1. In the console, expand Inter-Site Transports, expand IP, and then click IP.
2. In the results pane, in the list, right-click DEFAULTIPSITELINK, and then click Properties.
3. In the DEFAULTIPSITELINK Properties dialog box, in the Replicate every list, type 15, and then click Change Schedule.
4. In the Schedule for DEFAULTIPSITELINK dialog box, click Sunday, and then click Replication Not Available. Click Cancel.
5. In the DEFAULTIPSITELINK Properties dialog box, click OK.
6. Close Active Directory Sites and Services.

24 What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication
RODCs provide:
- Additional security for branch offices with limited physical security
- Additional security if applications must run on a domain controller
RODCs:
- Cannot hold operations master roles or be configured as replication bridgehead servers
- Can be deployed on servers running Windows Server 2008 Server Core for additional security
Reference: AD DS: Read-Only Domain Controllers

If students are familiar with Windows NT 4.0, compare the RODC with the Windows NT Backup domain controller (BDC). These domain controllers are similar, but the RODC provides several more features, such as delegating administration and credential caching. Mention that RODCs are designed primarily to be deployed in a branch office.

Question: In your work environment, do you have scenarios where an RODC would be beneficial?
Answer: Answers may vary. Students should be able to identify the primary scenarios where RODC servers are useful, which are remote sites, placements with lower physical security, or edge placements. And they should be able to relate their situation to these use scenarios.

25 Demonstration: Deploying an RODC
In this demonstration, you will see how to:
- Prepare the forest
- Deploy an RODC
- Configure the password replication policy for the RODC

Task 1 – Prepare the forest
1. On SEA-DC1, click Start, and then click Command Prompt.
2. At the Command Prompt, type E:, and then press ENTER.
3. At the Command Prompt, type cd\5118\adprep, and then press ENTER.
4. At the Command Prompt, type adprep /rodcprep, and then press ENTER.
5. Close the Command Prompt.

26 Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Task 2 – Promote the new domain controller
1. Switch to the SEA-SVR1 computer. Log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
2. Click Start, and in the Start Search box, type dcpromo, and then press ENTER.
3. In the Active Directory Domain Services Installation Wizard, select the Use advanced mode installation check box, and then click Next.
4. On the Operating System Compatibility page, click Next.
5. On the Choose a Deployment Configuration page, click Existing forest, and then click Next.
6. On the Network Credentials page, click Next.
7. On the Select a Domain page, click Next.
8. On the Select a Site page, in the Sites list, click Branch-Office-1, and then click Next.
9. On the Additional Domain Controller Options page, select the Read-only domain controller (RODC) check box, and then click Next. (Note: Leave the other check boxes selected.)
10. In the Static IP assignment dialog box, click Yes, the computer will use a dynamically assigned IP address (not recommended).
11. On the Specify the Password Replication Policy page, click Next.
12. On the Delegation of RODC Installation and Administration page, click Next.
13. On the Install from Media page, click Next.
14. On the Source Domain Controller page, click Next.
15. On the Location for Database, Log Files, and SYSVOL page, click Next.
16. On the Directory Services Restore Mode Administrator Password page, in the Password box, type Pa$$w0rd. In the Confirm password box, type Pa$$w0rd, and then click Next.
17. On the Summary page, click Next.
18. In the Active Directory Domain Services Installation Wizard dialog box, select the Reboot on completion check box.

27 Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
Task 3 – Configure the password replication policy
1. When SEA-SVR1 has restarted, log on to the SEA-SVR1 virtual machine as ADATUM\administrator with a password of Pa$$w0rd.
2. Switch to the SEA-DC1 virtual machine.
3. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
4. In the console, expand Domain Controllers.
5. In the results pane, right-click SEA-SVR1, and then click Properties.
6. In the SEA-SVR1 Properties dialog box, click the Password Replication Policy tab.
7. Click Add, and in the Add Groups, Users and Computers dialog box, click Allow passwords for the account to replicate to this RODC, and then click OK.
8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type SalesGG, click Check Names, and then click OK.
9. In the SEA-SVR1 Properties dialog box, click Apply, and then click Advanced.
10. In the Advanced Password Replication Policy for SEA-SVR1 dialog box, click the Resultant Policy tab.
11. Click Add, and in the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Joe, click Check Names, and then click OK.
12. Click Close.
13. In the SEA-SVR1 Properties dialog box, click OK.
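The password replication policy is the control that decides which credentials a branch RODC with weak physical security is allowed to cache, so it is worth reviewing from the command line as well as in the dialog box above. The script below is an added example, not part of the course; it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later), Windows PowerShell 3.0 or later, and the SEA-SVR1, SalesGG and Joe objects from the demonstration. The resultant-policy function approximates the dialog's Resultant Policy tab (assumption: there is no cmdlet that returns it directly).

```powershell
Import-Module ActiveDirectory

function Get-RodcPasswordPolicyReview {
    # The allowed and denied lists as configured, plus what has actually happened
    # through this RODC: accounts that authenticated and accounts whose secrets it caches.
    param([Parameter(Mandatory)][string]$Rodc)   # e.g. 'SEA-SVR1'
    $allowed  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
    $denied   = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    $authed   = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
    $revealedDns = @($revealed | ForEach-Object { $_.DistinguishedName })

    # Cached secrets of privileged accounts are what an RODC in a low-security site must
    # never hold; Domain Admins is used here as the example of a privileged group.
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object { $_.DistinguishedName })

    [pscustomobject]@{
        RODC                   = $Rodc
        Allowed                = @($allowed | ForEach-Object { $_.Name })
        Denied                 = @($denied  | ForEach-Object { $_.Name })
        CachedAccounts         = @($revealed | ForEach-Object { $_.SamAccountName })
        # Accounts that logged on via this RODC but are not cached: each logon still
        # had to be forwarded to a writable DC across the WAN.
        AuthenticatedNotCached = @($authed | Where-Object { $revealedDns -notcontains $_.DistinguishedName } |
                                   ForEach-Object { $_.SamAccountName })
        PrivilegedCached       = @($revealed | Where-Object { $admins -contains $_.DistinguishedName } |
                                   ForEach-Object { $_.SamAccountName })
    }
}

function Test-RodcResultantPolicy {
    # An account is cacheable when it, or a group it belongs to, is on the allowed list
    # and nothing that covers it is on the denied list (deny wins).
    param([Parameter(Mandatory)][string]$Rodc, [Parameter(Mandatory)][string]$Account)
    $user = Get-ADUser -Identity $Account

    function Covers($entry) {
        if ($entry.ObjectClass -eq 'group') {
            return (@(Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive |
                      Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }).Count -gt 0)
        }
        return ($entry.DistinguishedName -eq $user.DistinguishedName)
    }
    $allowedVia = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Where-Object { Covers $_ })
    $deniedVia  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Where-Object { Covers $_ })

    [pscustomobject]@{
        Account    = $user.SamAccountName
        AllowedVia = @($allowedVia | ForEach-Object { $_.Name })
        DeniedVia  = @($deniedVia  | ForEach-Object { $_.Name })
        Cacheable  = ($allowedVia.Count -gt 0 -and $deniedVia.Count -eq 0)
    }
}

# The equivalent of step 7 and 8 above, then the review and the resultant check for Joe.
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'SEA-SVR1' -AllowedList 'SalesGG'
Get-RodcPasswordPolicyReview -Rodc 'SEA-SVR1' | Format-List
Test-RodcResultantPolicy -Rodc 'SEA-SVR1' -Account 'Joe' | Format-List
```

A non-empty PrivilegedCached list on a branch RODC is the finding to act on: add the group to the denied list and reset the exposed passwords.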

28 Lab: Planning for Active Directory
Exercise 1: Selecting a Forest Topology
Exercise 2: Planning Active Directory for a Branch Network
Exercise 3: Deploying a Branch Domain Controller

Logon information
Virtual machines: 6430B-SEA-DC1, 6430B-SEA-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

29 Lab Scenario Adatum Corporation has recently acquired Contoso, a company with a range of compatible products. Allison Brown, the IT Manager, has asked you to create a document with recommendations about how best to incorporate the Contoso network infrastructure into that of Adatum. Adatum has a number of new sales offices in the western region. Allison Brown has asked you to determine the appropriate Active Directory configuration for them, and to document your proposals. You have been tasked with performing the deployment of the new domain controller at the Redmond sales branch office.

30 Module Review and Takeaways
Review Questions

